Office of the City Auditor. Audit Report. AUDIT OF ACCOUNTS PAYABLE APPLICATION CONTROLS (Report No. A10-003) October 2, 2009.

Transcription

1 CITY OF DALLAS Dallas City Council Office of the City Auditor Audit Report Mayor Tom Leppert Mayor Pro Tem Dwaine Caraway Deputy Mayor Pro Tem Pauline Medrano Council Members Jerry R. Allen Tennell Atkins Carolyn R. Davis Angela Hunt Vonciel Jones Hill Delia D. Jasso Sheffield Kadane Linda Koop Ann Margolin Ron Natinsky David A. Neumann Steve Salazar AUDIT OF ACCOUNTS PAYABLE APPLICATION CONTROLS (Report No. A10-003) October 2, 2009 City Auditor Craig D. Kinton

2 Table of Contents Executive Summary 1 Audit Results Page AMS Is Vulnerable to Unauthorized Employee Access and Modification Management Circumvented System Controls to Approve Payment for Invoices Greater Than $150,000 City Missed Discounts Because of Late Payments Appendices Appendix I Background, Objectives, Scope and Methodology 15 Appendix II Major Contributors to This Report 18 Appendix III Management s Response 19

3 Executive Summary Data was adequately protected during transmission to Bank of America and no transactions were identified that were not completely and accurately processed; however, computer access control weaknesses increase the potential for fraud. Further, payment of invoices was not always timely which results in missed discounts. By forming a ZIP Team to improve efficiencies in the Accounts Payable process, the City Controller s Office took steps to improve controls. The City faces increased risk that fraudulent activity could occur and not be timely identified by management. For example, the audit identified that: Inappropriate individuals may access the accounts payable system A fraud analysis tool that tracks system users and their activity was not activated Management used a bypass feature to circumvent system controls to pay 1,709 invoices (each invoice was a minimum of $150,000) without the required approval of the City Controller or Assistant City Managers Electronic fund transfers can be transmitted before management approval. Documentation was not adequate for $171 million in transfers to determine whether approvals were obtained before transactions were completed and one $5,178,706 invoice was approved after the electronic funds transfer An analysis of only 20 of the City s vendors showed that the City missed payment discounts totaling as much as $79,275 due to slow invoice processing. The audit objectives were to verify whether accounts payable transactions are accurate, complete, and authorized and to determine if the City is taking advantage of vendor offered payment discounts. For Fiscal Year (FY) 2007 and FY 2008 (through June 2008), the City s Accounts Payable Division of the City Controller s Office processed over 523,000 transactions representing $1.73 billion in payments to 11,738 vendors and employees. Management s response is included as Appendix III. 1

4 Audit Results 2

5 Overall Conclusions Security control weaknesses exist in the City Controller s Office administration of the American Management Systems (AMS) Advantage System. As a result, the AMS Advantage System is vulnerable to unauthorized employee access. Limited testing did not identify any specific incidents of fraud; however, additional testing could not be performed because the security logging feature within the AMS Advantage System was not enabled. System controls were overridden by management to facilitate faster processing and payment of invoices. Additionally, vendor payments were at risk because electronic funds transfers (EFTs) may have been transmitted before receiving management approval. Slow payment processing also caused vendor discounts to be missed. Regarding the accuracy and completeness of accounts payable transactions, nothing came to our attention that would indicate transactions were not processed completely and accurately or that the data was not adequately protected during transmission to Bank of America. Prior Reviews An internal control review reported in August 2008 by the City s external auditors, Grant Thornton, also identified certain security control weaknesses. Grant Thornton s results, however, were primarily focused on segregation of duties. The City s ZIP Team made recommendations in July 2008 to improve processing efficiencies between the departments and the City Controller s Office. The audit team reviewed and considered the ZIP Team recommendations, but did not duplicate the work of the ZIP Team. 3

6 AMS Is Vulnerable To Unauthorized Employee Access and Modification An employee can be granted unauthorized access as a new user to the AMS Advantage System. The new user setup process has been followed since system implementation in The process does not require authentication to determine if the new users are actually City employees and does not validate the authenticity of the requesting manager. Further, the quality control process does not result in an independent validation of the new user or the requesting manager. The AMS Advantage System has approximately 1,000 registered users. In 2008, four users per week, on average, were added to the AMS Advantage System. The following security control weaknesses were identified in the AMS Advantage System: Authentication of a new user is inappropriately delegated to the departments. The City Controller s Office has delegated the responsibility of authenticating a new AMS Advantage System user to each Department Security Coordinator (DSC). This delegation of responsibility reduces the workload of the City Controller s Office Central Security Administrator (CSA); however, the City faces an increased risk because the CSA does not provide an independent review of the new user request. Consequently, there is no assurance that an unauthorized individual will be denied access to the AMS Advantage System. Authentication of manager requesting new user is not adequate. The CSA relies upon an from the department manager and the CSA s institutional knowledge of 13,000 City employees and managers to validate that the approving manager is a City employee. After creation of the new user, the DSC forwards an or memorandum 1 from the requesting department Manager / Assistant Director / Director to the CSA in the City Controller s Office for final setup and activation. The CSA then will review the new user request to ensure the memorandum includes a position title of Manager, Assistant Director, or Director. If the title is included, then the new user is granted access. 1 For a memorandum, a wet signature, which is an original signature written on a sheet of paper, is required per the City Controller procedure manual. Only one memorandum has been submitted since

7 The City Controller s Office does not verify that the manager who is requesting the addition of a new user to the AMS Advantage System has been delegated the authority to initiate the request. Controls are also not in place to establish whether the requesting manager has been delegated the authority to approve a new user in the AMS Advantage System. In the previous financial system (RESOURCE), the City Controller s Office maintained for each department, a wet signature authorization list to verify that a requesting manager had approval authority for adding a new user to the system. Conversion to the AMS Advantage System resulted in terminating the wet signature validation and the City Controller s Office adopted an internal policy of accepting new users if the requesting individual was a manager or higher-level employee. Although a requesting manager may not have the authority to approve new users in their department, procedures in the City Controller s Office allow a new user to be setup if the "manager" submitted the request. Consequently, it is possible for a non-authorized manager to successfully request and approve a new user to the AMS Advantage System. Quality Control review is not sufficient. The procedure employed by the City Controller s Office to review new user setup requests impairs the independence of the quality control review. Upon completion of a new user setup, the CSA forwards the authorizing e- mail to a manager in the City Controller s Office. From the received s, the manager periodically performs a cursory review of selected new user setup requests. The reviews are limited to determining whether there are concerns with the identity of the requesting Department manager. If the manager in the City Controller s Office is unable to determine the identity of the requesting Department manager, then the manager seeks the advice of the CSA in determining whether the setup was properly completed. By obtaining the advice of the CSA, the independence of the quality control review is impaired. is not a secure method for requesting a new user setup. The use of an is not sufficient evidence to validate an individual s identity for granting access to the AMS Advantage System; however, the Human Resources department produces the Employee Cross Reference report that can be used to determine if the new user is a City employee. This report, however, was not being used by the City Controller s Office to validate the authenticity of new users. As a result, there is no assurance that the newly created user is a City employee. Further, the CSA does not have any written procedures on validating new users and the managers requesting the new users. Security in the AMS Advantage System is designed to prevent unauthorized creation, modification, and processing of accounts payable transactions; however, the process employed by the City Controller s Office to grant 5

8 access privileges mitigates the effectiveness of the system security structure. Users are assigned roles that are not appropriate for their job functions. Certain users were assigned roles that were not aligned with their assigned responsibilities. For example, certain users had the capability to update or modify over 1,100 tables in the AMS Advantage System. According to the Control Objectives for Information and Related Technology (COBIT ) 2, management should regularly review all accounts and related privileges for all users to ensure that critical and confidential information is withheld from those who should not have access to the information. After creation and activation of a new user, the City Controller's Office will only modify a user's configuration when a change request is received from the department. A user configuration may remain unchanged indefinitely because the City Controller's Office does not have an established procedure for periodically reviewing assigned user roles after the initial setup. If a user moves to another department or changes job functions, the user s AMS Advantage System configuration will not be systematically updated. Examples of inappropriate role assignments are described below: The City Controller and an Accounts Payable manager were improperly assigned update capability (ALL_UPD security role) in their user IDs. This role allows users to update data tables containing information for Accounts Payable, Procurement, Fixed Assets, and other Financial modules. Improper use of this role could jeopardize data integrity within these modules. The ALL_UPD security role should only be assigned to users that have an ongoing need to update all tables. Accounts Payable supervisors can circumvent system controls designed to ensure segregation of duties The supervisors are improperly assigned both the Invoice Approver and the Accounts Payable Manager Workflow roles. Because of this multi-role assignment, the Accounts Payable supervisors are able to circumvent the two-person approval controls inherent in the system s security design. An Invoice Approver must approve all invoice processing that originates in Accounts Payable. For invoices between $50,000 and $149,999, the Accounts Payable supervisor provides a second approval level. Since the Accounts Payable supervisor is 2 CobiT is a framework, or set of best practices, that provides support for the governance, management, control and audit needs of an organization. 6

9 assigned both workflow roles (first and second level approvals), system controls allowing proper segregation of duties are not being used and invoices may not be independently approved. Budget Management Services (BMS) employee has a workflow role (CENT_ADM) normally reserved for the Central Security Administrator and their designated back up. Prior to October 1, 2006, a Dallas Water Utilities (DWU) employee was assigned as a CSA backup; however, on October 1, 2006, the employee moved from DWU to BMS. Although two years had passed and the employee s function had changed, the CENT_ADM role had not been removed from the BMS employee s AMS Advantage System User ID. The CENT_ADM role is reserved for the CSA and allows the CSA to approve all new users added to the AMS Advantage System. When notified about the improper role assignment, the CSA in the City Controller s Office was unaware that the transferred employee was assigned the CENT_ADM user role. The risks of allowing improper role assignments and the lack of periodic user role reviews are that unauthorized users may be granted access to the AMS Advantage System. Two Accounts Payable Division employees have the ability to create (BUYER_DOC role) purchase order and master agreement documents. This role was assigned to a temporary employee and a full-time employee. The temporary employee had been assigned the BUYER_DOC role for over one and one-half years, beginning in March It was not possible to determine the date that the full-time employee was granted the role because of a lack of information. Individuals in a payment role should not have the ability to create purchase documents that could possibly be processed and paid by the same individual that created the purchase documents. The (BUYER_DOC) role is designed for use by staff in the Department of Business Development and Procurement Services (BDPS). Assignment of this role to a temporary employee is a more serious concern because fraudulent activities could occur, but the effects may not be realized until after the temporary employee has left the City. Because of internal control weaknesses in assigning user roles, the potential for fraudulent activity was increased. 7

10 Security logging feature is not enabled. The ability to track user security role changes and user activities in the AMS Advantage System is not enabled. Without a tracking mechanism in place, identification of potentially fraudulent activities becomes difficult to investigate. Although the AMS Advantage System has transaction logging capability, the implementation vendor, AMS, recommended that the City not use the feature because it would consume too many system resources and negatively affect system performance. AMS uses the term Audit Logging to refer to the process of monitoring and recording activity for a data table. Audit Logging provides the following information: o Date and time of activity o User or job identification (ID) that performed the activity o Name of the job that performed the activity o Activity that was performed o Snapshot of the data before the activity was performed o Snapshot of the data after the activity was performed If fraudulent activity were to occur, the security logs would provide the starting point for identifying the perpetrator(s) and activities leading up to or causing the event. According to COBIT, a logging and monitoring function will enable the early prevention and / or detection and subsequent timely reporting of unusual and / or abnormal activities that may need to be addressed. Recommendation I We recommend the City Controller: Develop and implement procedures to ensure that only those individuals needing access to the AMS Advantage System are granted access. Procedures should include the following: o Employ the Human Resources Employee Cross Reference Report to validate the employment status of a new user and to verify the employment status of the requesting manager 8

11 o o o o Validate the authority of the manager requesting a new user setup by implementing a wet signature authorization list for each department Implement new roles and workflow rules in the AMS Advantage System to eliminate the use of as an authorization mechanism Require City Controller management to perform substantive quality control reviews of new user setups Perform periodic reviews of all assigned user roles to ensure that individuals are only assigned roles needed to perform their job functions Implement the built-in security logging feature of the AMS Advantage System Management s Response Partially Agree. Currently, CIS has a centralized security authorization group. As part of the continued consolidation of citywide security into this group, the AMS security function will become a part of the centralized CIS security group. The group will administer security setup and administration to ensure compliance with City of Dallas Administrative Directives and CIS Security Policies and Procedures. The security policies will include access request, termination, documentation, validation, employment status reviews, and periodic reviews of roles and responsibilities. The cost impact to the City of Dallas for implementation of "Audit Logging" within the AMS System is estimated at $616, The recurring cost impact after the first year to the City of Dallas on a yearly basis is estimated at $92, Implementation Date The transition of the AMS security administration into the centralized CIS security team will be completed by December 31, The implementation date for Audit Logging within the AMS System is dependent upon budget and funding approval. Responsible Manager CIS Department, Security CIS Department, Applications 9

12 Management Circumvented System Controls to Approve Payments for Invoices Greater Than $150,000 City management circumvented the AMS Advantage System approval process controls to pay vendors over $887 million or 58 percent of the $1.53 billion in invoices paid to vendors from October 1, 2006 through June 30, Table I shows the number and dollar amount of invoices paid using the bypass feature for FY 2007 and FY 2008 (through June 30, 2008). Table I Approval Levels by Invoice Amount $150,000 and higher Total of All Invoices Number of Invoices Source: AMS Advantage System Invoices Paid Using Bypass Feature October 1, 2006 to June 30, 2008 FY 2007 FY 2008 Total Dollar Amount Number of Invoices Dollar Amount Number of Invoices Dollar Amount ,686, ,924,388 1, ,610,438 5,110 $ 570,935,361 1,611 $ 423,700,535 6,721 $ 994,635,896 Invoices were processed for payment using an AMS Advantage System feature known as bypass. This feature allows Accounts Payable Division managers to be the final approver for invoices without obtaining the approval of the City Controller or Assistant City Managers. Accounts Payable Division managers were allowed to approve and process invoices that should have been approved by the City Controller and Assistant City Managers prior to the creation of payment documents such as checks and EFTs. According to the Accounts Payable Division procedures manual, the bypass feature was initiated to prevent additional delays in processing payments. Since the bypass approval rule overrode the standard system approval rules, AMS Advantage System controls normally used to ensure proper segregation of duties and to prevent or minimize the potential for fraud were not operational. System application controls should be used to ensure segregation of duties and provide a level of assurance that payments are approved and made as intended. COBIT requirements state that an organization should ensure that source documents are prepared by authorized and qualified personnel following established procedures, taking into account adequate segregation of duties regarding the origination and approval of these documents. 10

13 Electronic Funds Transfers (EFTs) can be transmitted before management approvals Current approval processes and procedures make it possible for an EFT payment file to be transmitted to Bank of America before receiving Assistant City Manager (ACM) approvals. This possibility exists because the approval bypass feature was used and internal procedures require a wet approval signature from the ACM instead of an electronic signature. Based on document routing processes within the Accounts Payable Division, the City Controller s Office, and the Assistant City Manager s Office, there is no assurance that the payment requests will be signed by the ACM before transmission of the EFT payment file to Bank of America. For the period October 1, 2006 to June 30, 2008, payment requests greater than $150,000, totaling over $411 million were paid via EFTs. All approvals for payments greater than $150,000 are planned to occur the same day the City transmits the EFT file to Bank of America. Unforeseen circumstances may arise that could delay the manual EFT approval by an ACM. Although procedures state that approved payment requests are to be returned to Accounts Payable Division by 2:00 PM, the manual controls involved in the approval process are inadequate because they do not ensure that the requests are returned before transmission of the EFT file to Bank of America. Further, written procedures do not exist that describe the steps to be taken in the event a payment request is not returned to the Accounts Payable Division before the 2:00 PM deadline. To determine the effect of the bypass feature and wet signature approvals on EFT processing, an analysis was performed to determine if any EFTs were sent to the bank before receiving ACM approval. Our analysis of 111 invoices, each greater than $1,000,000 and paid by EFT, showed the following: One invoice totaling $5,178,707 was approved after the date of the EFT. The remittance advice document was dated December 4, 2006, but the ACM approved the payment transmittal the following day on December 5, Eighteen invoices, totaling $39,850,704, were approved either on or before the EFT. These invoices included a date stamp with the ACM s approval signature. Ninety-two invoices totaling $171,048,142 did not contain a date and time stamp indicating when the ACM approved the invoices. (It was not possible to determine whether wet signature approvals had been obtained prior to transmission of the EFT file because none of the invoices contained a date stamp). 11

14 The AMS Advantage System has the capability to process electronic approvals for invoices $150,000 or higher; however, the City did not implement the automated feature at this invoice approval level. Use of electronic approvals by the ACMs would add a system-based control to ensure that payment requests are approved at all levels before transmission of the EFT to Bank of America. During the audit, the City Controller s Office took steps to reduce risks associated with transmitting an EFT file by modifying procedures within the department. The revised procedures include: Electronic approval by the City Controller Wet signature by ACMs on the day preceding transmission of the EFT file However, since wet signatures are still used for approvals by the ACMs, there is no assurance that the approved documents will be returned to Accounts Payable Division by the scheduled EFT transmission time. Recommendation II We recommend the City Controller: Discontinue the use of the bypass feature in the AMS Advantage System Require Assistant City Managers to electronically approve all payment requests Document procedures related to processing payment requests made by electronic funds transfer Management s Response Partially Agree. The "bypass" feature has been discontinued since the end of fiscal year 2008 for the City Controller approval level. Wet signatures are required for Assistant City Managers, as this is an acceptable form of approval. Implementation Date Procedures will be documented by December 31, Responsible Manager Accounts Payable manager. 12

15 City Missed Discounts Because of Late Payments The City has missed opportunities to save money through vendor offered payment discounts 3 because of a slow payment processing cycle time. Based on a sampling of 20 vendors offering payment discounts for the period October 1, 2006 to June 30, 2008, the City received $47,476 in payment discounts; however, the City could have received an additional $79,276 in discounts if payments were timely made. Further analysis showed that Dallas Water Utilities (DWU) and Equipment and Building Services (EBS) Departments account for over 78 percent, or $61,634, of the missed discounts. The City has 6,712 external vendors. The auditors were unable to determine the total amount of discounts that the City missed during the audit period because discounts are not monitored within the Accounts Payable Division and current processes do not require the prompt payment discount terms to be entered into the AMS Advantage System if the City does not pay within the discount timeframe. Some discounts may also be missed due to data input error or omission. Recommendation III We recommend the City Controller: Develop and implement procedures within the Accounts Payable Division and the departments to ensure that: o Payment discounts are taken before the expiration of the discount period o All discount information is entered into the AMS Advantage System for missed discounts o Discounts taken and discounts missed are routinely monitored and reported to the department directors 3 The payment discount, sometimes referred to as a prompt payment discount, is an incentive that a vendor offers to the City in return for payment of an invoice within a specific period. 13

16 Management s Response Partially Agree. Discounts may have been missed as the result of overriding controls within departments to verify the accuracy of invoices prior to payment or invoice disputes. Such possible exceptions were not considered in the auditor's report. The cost of compliance with the auditor's recommendation to "require the prompt payment discount terms to be entered into the AMS Advantage System if the City does not pay within the discount timeframe," will have to be determined. Tracking purchase discounts lost in the system as recommended by the auditor would require additional accounting codes and programming changes. The new procedures would have to be tested extensively before implementation. Management will study this issue further to determine whether it is cost beneficial to further monitor discounts. Implementation Date To be determined. Responsible Manager Efficiency Team 14

17 Background, Objectives, Scope and Methodology Appendix I Background The Accounts Payable Division of the City Controller s Office provides payment processing services for City departments and ensures timely payment to vendors for goods and services received by the City. The primary payment processing functions are centrally managed by the Accounts Payable Division located in City Hall; however, certain processes are performed by departments located throughout the City. The Accounts Payable Division does not have direct control of accounts payable operations at the department level, but the Accounts Payable Division relies on personnel within the departments to perform the following procedures: Initiate payment processing procedures Ensure goods are properly received Forward appropriate documentation from the City department to the Accounts Payable Division When the departmental procedures are completed, the Accounts Payable Division performs final processing and distributes payments to vendors. On November 10, 2004, the City Council authorized an upgrade to the City s American Management Systems (AMS) Financial System from a mainframe environment to a web-based application known as AMS Advantage Financial 3. The mainframe-based system had been in operation since The Accounts Payable application is one component of the AMS Advantage suite of products. Other AMS Advantage products the City uses include AMS Advantage Procurement and AMS Advantage Fixed Assets. During the audit period, the Accounts Payable Division processed approximately 523,189 transactions representing over $1.73 billion in payments to vendors and employees. When performing the audit, consideration was given to the work performed by the Efficiency Team, through the Process Improvement for E 3 Government initiative (ZIP Team process), and the City's external auditors, Grant Thornton. The ZIP Team process review was performed in the Accounts Payable Division in May and June A list of operational improvement recommendations were presented to the City Controller s Office in July Grant Thornton performed 15

18 an internal control review of the AMS Advantage System and released a report on August 27, 2008 that identified certain control deficiencies related to security. Objectives, Scope and Methodology This audit was conducted under authority of the City Charter, Chapter IX, Section 3 and in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. The audit covered the period October 1, 2006 through June 30, We also examined certain events and transactions occurring before and after that period. Our audit objectives were to determine if: Accounts Payable input transaction data is accurate, complete, and authorized The City is taking advantage of vendor offered payment discounts The scope included financial data and controls for the audit period. The data reviewed included payment disbursements, invoices, purchase orders, and receivers extracted by the Communication and Information Systems (CIS) department from the AMS Advantage System. To achieve these objectives, we: Interviewed City department managers and staff to develop an understanding of relevant internal controls and evaluated relevant policies and procedures Reviewed Administrative Directives and other relevant documents and information Reviewed the Control Objectives for Information and related Technology (COBIT ) and evaluated the departments adherence to the COBIT process framework Evaluated security access controls within the AMS Advantage System with particular emphasis on security and workflow roles for the Accounts Payable Division 16

19 Performed various data analyses on over 523,000 accounts payable transactions Evaluated electronic funds transfer file transmission procedures Evaluated automated interface procedures that provide the mechanism to transmit vendor payments to Bank of America for electronic funds transfers Evaluated Accounts Payable Division payment processing procedures Determined the timeliness of payment processing and evaluated its effect on vendor offered discounts 17

20 Appendix II Major Contributors to This Report Gary Lewis, CPA, CIA, CFE Assistant City Auditor Tony Aguilar, CIA, CISA - Project Manager Harry Krewson, Auditor Lee Chiang, Auditor Theresa Hampden, CPA - Quality Control Manager 18

21 Appendix III Management s Response 19

22 20

23 21